
IGF 2017 - Best Practice Forum on Cybersecurity

 

INTRO & INSTRUCTIONS

 

The BPF Cybersecurity aims to be bottom-up, open and inclusive and therefore invites all interested to comment and contribute on its draft output document.

After each section there's a possibility to leave comments by clicking on 'Add new comment'. Comments are shown in the column on the right.

For clarity, footnotes and references are not shown on this review platform. You can find them in the formatted draft.

 

Document structure:

Part I:  Framing the 2017 BPF on Cybersecurity

Part II: Cybersecurity as an Enabler for Development

  1. Cybersecurity's ability to support the SDGs
  2. Policy options to mediate cybersecurity threats
  3. Areas to develop further stakeholder conversation

Part III: Conclusions and Way Forward

Part I: Framing the 2017 IGF Best Practice Forum Cybersecurity

Introduction

The Best Practice Forum (BPF) on Cybersecurity is part of the 2017 intersessional work programme feeding into the 12th annual meeting of the Internet Governance Forum (IGF) held in Geneva, Switzerland from 18 to 21 December 2017.

The BPF aims to both produce a tangible output[1] and provide a broad multistakeholder platform for engagement on cybersecurity policy matters, which increases existing cooperation and builds new synergies amongst cybersecurity initiatives and processes. The BPF Cybersecurity as such fits well under the overall theme of the 2017 IGF, Shape Your Digital Future!

The BPF on Cybersecurity grew out of the BPF Establishing and supporting Computer Security Incident Response Teams (CSIRTs) for Internet security, and the BPF Regulation and Mitigation of unsolicited Communications, both of which ran during 2014 and 2015.[2]

As an outcome of both groups, it was identified that the topics they had tackled were somewhat limiting, and there was no existing forum within the inter-sessional work to discuss other cybersecurity-related challenges and to look more holistically at cybersecurity challenges. In addition, "cybersecurity" as a term was ill-defined within our community, and could benefit from deeper investigation and definition[1].

In 2016, the first Best Practices Forum on Cybersecurity hence started off with discussions enabling participants to understand the wider context of the word "cybersecurity" for each stakeholder group. The BPF made it clear right from the beginning that this work needed to be conceived as a multi-year project. It then worked to:

  • Identify the communications mechanisms between stakeholder groups to discuss cybersecurity issues;
  • Understand the typical roles and responsibilities of each group in making sure the internet is a secure and safe place;
  • Identify common problem areas in cooperation, and good best practices for doing so.

A set of 10 conclusions were drawn, which broadly echoed multi-stakeholder cooperation as critical, and put particular stress on how stakeholders must understand, respect and trust each other's expertise and competences. The final outcome, including all findings, can be found on the IGF web site[3].

The proposal[4] for the 2017 BPF Cybersecurity was approved by the IGF’s Multistakeholder Advisory Group (MAG) on 11 April 2017[5]. The BPF Cybersecurity reports into the 2017 Main session on cybersecurity at the 12th IGF meeting in Geneva and the BPF document is published as part of the official output of 12th IGF meeting.

 

The 2017 BPF Cybersecurity:  purpose and outline

The Best Practice Forum on Cybersecurity realized that making Internet access more universal, and thus supporting the United Nations Sustainable Development Goals (SDGs)[1], has significant cybersecurity implications. Well-developed cybersecurity helps to create an enabling environment for ICTs and Internet Technologies to contribute to meeting the SDGs. Poor cybersecurity can reduce the effectiveness of these technologies, and thus limit the opportunities to help achieve the SDGs.

The 2017 BPF explored how cybersecurity influences the ability of ICTs and Internet Technologies to support the achievement of the SDGs, looked at the roles and responsibilities of the different stakeholder groups and aimed to identify policy mitigations that can help ensure the next billion(s) users can be connected in a safe and reliable manner to fully benefit from existing and future technologies. The BPF collected community views on what critical cybersecurity issues would benefit from a multi-stakeholder approach.

This BPF output is the product of a bottom-up, open and iterative process in which all stakeholders were invited to participate. The main steps and methodology are briefly described in the section below.

 

Methodology & community input

The approval of the project proposal for BPF Cybersecurity by the 2017 MAG kicked off the BPF’s open and iterative process[1]. The BPF Cybersecurity convened regular virtual meetings open to all interested stakeholders and discussed progress on an open mailing list. Draft versions of the output document were posted for community comment on the IGF website and presented at a dedicated workshop during the 2017 IGF meeting in Geneva.

The BPF Cybersecurity launched a call for contributions[2] to collect substantial community input on the BPF’s subject matter. Drawing primarily from an analysis of the potential cybersecurity implications of the policy suggestions for enabling connectivity and supporting the SDGs formulated by the IGF Policy Options for Connecting and Enabling the Next Billion(s)[3], the BPF invited community input to identify these and additional cybersecurity risks and collect recommendations on how to mitigate them.

In addition to its focus on the SDGs, the BPF asked the community to weigh in on the responsibilities of different stakeholders for mitigating risks, and on what critical cybersecurity issues would benefit from a multistakeholder approach.

The BPF made an effort to seek input from National and Regional IGF Initiatives (NRIs) via an NRI-specific questionnaire.

All contributions are collected on the IGF website; a summary can be found in Annexe 1.

 

Part II: Cybersecurity as an enabler of development[1] 

Section 1:  Cybersecurity's ability to support the SDGs     

Substantial input for this section was generated from the responses to the call for contributions, and in particular the questions:

‘How does good cybersecurity contribute to the growth of and trust in ICTs and Internet Technologies, and their ability to support the SDGs?’

‘How does poor cybersecurity hinder the growth of and trust in ICTs and Internet Technologies, and their ability to support the SDGs?’

 

1.1. Trust and Confidence in ICTs and the Internet

‘The Internet needs a solid foundation in trust for its full potential to be realized.’[1] Well-developed cybersecurity contributes to building trust and feeds the confidence in ICTs and Internet technologies enabling them to become instruments used by people and organisations in pursuing their goals.

‘Civil and political rights are clearly boosted by internet access, but the internet also positively impacts economic development when societies can trust in internet-connected systems and robustly interact, and transact online.’[2] Good cybersecurity stimulates growth in users and usage of Internet technologies, which help to accelerate business, make economies grow and increase the wealth that becomes available for distribution. These technologies also contribute to the reduction of transaction costs, increase transparency and accelerate knowledge and information transfer. Good cybersecurity stimulates the use of technologies that have the potential to contribute to achieving the SDGs.[3]

In short, cybersecurity helps to build the confidence needed to motivate the use of ICTs and the Internet, and the SDGs drive that energy towards achieving the goals to end poverty, protect the planet and ensure prosperity for all.[4]

 

1.2. The impact of poor cybersecurity

Poor cybersecurity threatens the growth of ICTs and Internet Technologies. Poor cybersecurity exposes organisations and individuals to risks and attacks, and opens doors for ill-meaning parties to spy on actors or meddle with democratic affairs. In a more indirect way, a perception of insecurity creates distrust in ICTs and the Internet and a diminishing adoption of new technologies[1]. Poor cybersecurity will reduce the use and effectiveness of these technologies, and thus limit the opportunities to help achieve the SDGs.[1]

‘Poor cybersecurity hinders growth and trust in ICTs as it leads to lack of confidence in online systems and services, thus discouraging investment and usage. A lack of cyber hygiene increases vulnerability to cyber attacks and reduces the ability to effectively respond to and recover from cyber incidents which in turn promotes a lack of trust in the digital economy.’[2]

 

1.3. The different faces of cybersecurity

Cybersecurity is a broad concept that covers many aspects. A discussion on different definitions of the term ‘cybersecurity’ can be found in the output document of the 2016 BPF Cybersecurity[1].

ICTs and Internet technologies increasingly underpin society, economy, and polity. Cyberspace faces new challenges such as security and stability, infringement on privacy and intellectual property, cyber terrorism and cyber surveillance activities.[2] The submissions to the BPF reflect different expectations, priorities, and perspectives on how cybersecurity can contribute to the growth and trust in ICTs and Internet technologies, and their ability to support achieving the SDGs. This section aims to give an overview of the different facets of cybersecurity.

 

Infrastructure

The Internet is a network of networks and the ability to resist cyberattacks is only as strong as its weakest link.[1] Sustainable development at all levels is directly related to the protection of all aspects of this infrastructure, including security.[2]

One contribution introduced the concept of a “public core” which is worthy of protection. This core of the Internet encompasses two elements: ‘(i) a clearly distinguishable “inner core” which consists of the core functionality underpinning the Internet (in particular the forwarding and naming functions and infrastructure of the Internet and those actors responsible for their day to day management), and (ii) a less clearly distinguishable “outer core” of potentially critical functionality, whose impact on the overall stability and security of the Internet as a whole may be uncertain, or which may fluctuate depending on circumstances.’[3]

 

Trade, commerce, industry and production

‘Good cyber security is a means of achieving and sustaining the credibility of the Internet as a safe environment for businesses to thrive and sustain economic value.’[1] Effective cybersecurity is essential ‘to engage fully in the increasingly cyber-dependant trade and commerce. Robust cybersecurity frameworks enable individuals, companies and nations to realise the full potentials of the cyberspace, without fear or reservation, promoting cross-border delivery of services and free flow of labour in a multilateral trading system.’[2]

Cyber attacks, vulnerabilities and security breaches break the trust of businesses online, which directly impacts productivity and economic growth in developing countries where ICTs are more adopted for the delivery of services.[3] Small and medium enterprises (SMEs) face the challenge of securing themselves from cyber attacks and of promoting confidence and trust in their online services.[4]

 

Privacy/Data protection

Good cybersecurity policies, practices and legislation put people and their rights at the centre. They protect individuals, their data, devices and networks, and foster trust, stability and confidence in ICTs. Poor cybersecurity results in vulnerabilities and data breaches, which are catastrophic for privacy and undermine trust in digital developments. Many countries have insufficient or no legislation that protects data.[1]

Technology can be an enabler of all SDGs, but must be secure. Relying heavily on ICTs and the Internet to implement large scale development projects without strong cybersecurity in place leaves some of the world’s most vulnerable people vulnerable in a new way, for example when their sensitive personal information such as biometrics or health data is not sufficiently well protected.[2]

 

Human Rights, Rule-of-law and Democracy

Good cybersecurity contributes to the ‘protection of human rights, democracy and rule of law.’[1] Certain security measures, however, might also pose a serious threat to these democratic values, in particular where governments are increasingly asserting control over the Internet and stigmatize security measures, such as encryption.[2] ‘Cybersecurity and human rights are complementary, mutually reinforcing and interdependent.’ To prevent cybersecurity policies from having a negative impact, they should incorporate human rights by design[3], states should work together to curb trade of spyware, respecting human rights[4], and actively participate in discussion forums with the other stakeholders[5].

Poor cybersecurity and information breaches might, for example, have an impact on the ability of civil society to campaign against political decisions or weaken the voice of activists.[6]

 

Section 2:  Policy options to mediate cybersecurity threats         

2.1. Mediating threats that undermine the contribution to achieving the SDGs

2.1.1. Introduction - CENB and SDGs

The IGF work on Policy Options for Connecting and Enabling the Next Billion(s) (CENB) is a multi-year work programme aiming to develop comprehensive sets of policy recommendations based on broad consultations, bottom-up crowdsourcing and cross-engaging the work of the different intersessional work tracks and IGF initiatives.

The first phase in 2015 (CENB I)[1] focussed on infrastructure, increasing usability, enabling users, ensuring affordability and enabling environments. The subsequent phase (CENB II)[2] discussed how ICTs can help reach the United Nations SDGs. The ongoing CENB III[3] in 2017 narrowed its scope to focus on a limited number of SDGs impacted by ICTs.

The 2017 BPF Cybersecurity builds upon the community work of CENB I and II, and expects to establish cross-fertilisation with CENB III, in particular the CENB discussions related to SDG Goal 9 (Build resilient infrastructure, promote sustainable industrialization and foster innovation).

 

2.1.2. An analysis of the CENB & SDG cybersecurity implications

The BPF performed a cybersecurity assessment of the CENB output documents to identify potential risks and security challenges emerging from the CENB policy recommendations. The BPF focused in particular on the CENB II recommendations, which are directly linked to the SDGs.

The BPF came up with a list of 10 identified threats and cybersecurity challenges:

  1. Denial of Service attacks and other cybersecurity issues that may impact the reliability and access to Internet services;
  2. The security of mobile devices, which are the vehicle of Internet growth in many countries, and fulfill critical goals such as payments or self-identification;
  3. Potential abuse by authorities, including surveillance of Internet usage, or the use of user-provided data for different purposes than intended;
  4. The confidentiality and availability of sensitive information, in particular in medical and health services;
  5. Online abuse and gender-based violence;
  6. Security risks of shared critical services that support Internet access, such as the Domain Name System (DNS) and Internet Exchange Point (IXP) communities;
  7. Vulnerabilities in the technologies supporting industrial control systems;
  8. Use of information collected for a particular purpose, being repurposed for other, inappropriate purposes. For instance, theft of information from smart meters, smart grids and Internet of Things devices for competitive reasons, or the de-anonymization of improperly anonymized citizen data;
  9. The lack of Secure Development Processes combined with an immense growth in the technologies being created and used on a daily basis;
  10. Unauthorized access to devices that play an increasingly important role in people's daily lives.

The detailed analysis of the CENB cybersecurity implications can be found in annexe 2. The CENB II analysis dives deeper into the connection between risks and the SDGs.

 

2.1.3. Policy options to help address the CENB cybersecurity challenges

The BPF identified a list of 10 cybersecurity challenges originating from the CENB policy options (see 2.1.2) and discussed ways to mitigate the risks. This led to a list of policy suggestions to help address each of the challenges.

Substantial input for this section was generated from the feedback on the call for contributions, and in particular from the responses to the question ‘Do you see particular policy options to help address CENB risks?’.  This delivered a long list of suggestions that were subsequently discussed by the BPF and consolidated in 10 sets of policy recommendations. A number of additional concerns and challenges that came up during the BPF discussion are listed in section 2.1.4.

  1. Securing the reliability of and access to Internet services
    1. Technical community members must be incentivized to develop tools and standards to identify and appropriately hold accountable cyber criminals.
    2. Technical solutions to prevent cyber attacks must be pursued first, prior to other policy such as criminalisation. The flow and exchange of solutions to find, mitigate and address vulnerabilities must be promoted[1].
    3. Governments are encouraged to identify and implement international conventions to address cybercrime, and provide a legal framework for investigation, prosecution and sanctioning. Such conventions offer means to criminalize and prosecute cybercrime.
    4. Promote technologies for small and medium enterprises (SMEs) to secure themselves from cyber attack, and which promote confidence and trust in their online services.
    5. Hold the perpetrators of DDoS accountable through technical identification and criminal investigation of attacks. Warnings of DDoS, such as ransom demands, must be quickly disseminated through the network of security practitioners.
    6. Software and product vendors must implement security at all stages of the development lifecycle. Products must be patched to address vulnerabilities throughout their well described lifecycle.
    7. Support technical measures to enhance resiliency of networks and promote access.
    8. Tech and software industry have to recognise customers as such and stop seeing and treating them as users. This changes dependency roles and puts responsibility for (ongoing) security of products where it belongs: the manufacturer is responsible for secure software at the start and for fixing software flaws in a timely manner, and the customer is responsible for correct use within the law. The onus for realising a safer Internet becomes a shared responsibility.
    9. Data communicated for security monitoring should not only be in a unified format but also in a unified language (a log in one tool means the same as a log in another tool). Systems are deficient in reliably identifying the genuine source and user of an event. Hence perpetrators cannot be tracked. All levels of ISPs and Internet coordination bodies must coordinate protocols to respond to malicious activity.
  2. Securing the mobile Internet
    1. The Technical Community must be encouraged to develop and research security solutions and awareness around mobile threats. Developers of mobile technologies must implement a secure development lifecycle. Systems must implement a minimum of built-in security features and capabilities.
    2. Mobile devices must be considered “computer systems” in applicable law, similar to the stipulations of the Budapest Convention.
    3. Due to the wide variety of mobile devices, there are gaps in understanding between users, and the product vendors, on security vulnerabilities. This is especially the case for devices outside of their main support lifecycle.
    4. Repositories for mobile apps should maintain security best practices such as the detection of malicious applications. Mobile applications should use encryption technologies such as HTTPS when communicating over networks.
    5. States must adopt data protection rules, such as Convention 108 of the Council of Europe.
    6. Citizens and users must have access to good policies on how to manage their devices. Governments may need to support low income citizens to ensure they have equal access to this level of support.
  3. Protecting against potential abuse by authorities
    1. Governments and intergovernmental organizations should speak out and criticize the use of technologies by other governments for abusive purposes.
    2. Surveillance undermines privacy and threatens freedom of expression. States should develop legal and constitutional safeguards to minimize its impact on trust. Prioritizing surveillance often weakens rather than strengthens security for all concerned.
    3. Criminal law measures should be subject to law safeguards and conditions. These controls apply less to national security services for which stronger supervision and accountability would be needed.
    4. States should support and promote an open internet, safe and secure environment, and consider regulation instead of censorship. States should formulate Privacy and Data Governance policy/laws.
    5. Ethics are an important part of a thriving cybersecurity community. Ethics standards should be endorsed and promoted at all levels, within government industry and society, and with regards to all technologies, including ICTs and IOT technologies.
  4. Confidentiality and availability of sensitive information
    1. Civil society can serve as a watchdog to closely observe when sensitive and confidential information is disclosed.
    2. Countries should implement legal frameworks to address data security concerns, impose security obligations for governments and companies, along with reporting requirements for incidents that allow subjects to take actions to protect themselves from consequences, and governments to be aware of risks and threats in their countries. States must take these rules into account for their own data-intensive projects.
    3. Applications processing sensitive information must have a secure baseline/applicable controls. They must be certified to ensure this baseline is applied. Sensitive user data must be made available on a “need to know” basis.
    4. Availability of services with critical data pertaining to users must be monitored and managed.
    5. All stakeholders must help privacy by informing users when profiling takes place, and providing audit trails as well as mechanisms to opt out of collection.
    6. Personal data is not owned by a company, but by the user. Transfer of account information to another entity must be managed using described processes that involve consent. Privacy rules must equally apply to the mobile and app environment[2].
    7. Private sector and states must acknowledge that jurisdiction in the third world can often be complex, as data is hosted with foreign companies. They should implement measures to provide control to the user in such countries.
  5. Fighting online abuse and gender-based violence
    1. States should develop laws to deter online exploitation.
    2. Partnerships between all stakeholder groups should raise awareness for online abuse and gender-based violence. They should support awareness building and education programmes and commit support resources.
    3. International rapid response teams should be developed to mitigate abuse across platforms and services. Enabling the tracking of an abuser and response to it must be fast-tracked. These processes must be global, and support an ombudsman or review process.
    4. Processes must be defined to remove content when appropriate.
    5. These be addressed in line with the law of the land. Technology providers must provide means of monitoring and law implementation.
    6. States must fully implement CEDAW at the national level to respect, protect and fulfil women's rights, and must pursue a preventive and proactive approach to gender-based violence (GBV). States should recognise GBV as a human rights violation.
    7. Gender-unequal access to technology and women's subordinate status in ICT must be confronted, through for instance affirmative action and subsidies for ICT-related courses. Comprehensive capacity building should be undertaken, in particular by states who should address gender-based violence. Companies should take a rights-based approach and adopt the Women's Empowerment Principles. Adequate budgets and resources should be allocated by states to address GBV.
  6. Securing shared critical services and infrastructure that support Internet access
    1. States should implement cybersecurity frameworks such as the US NIST Cybersecurity framework and associated laws.
    2. Technical community should be encouraged to implement DNSSEC, RPKI and other key security technologies with the help of other stakeholders. States should support technical community to work on ccTLD capacity building, IXP services and resiliency development. Protecting these resources is critical, requires a multistakeholder approach and acknowledgement of global interest.
  7. Vulnerabilities in the technologies supporting industrial control systems
    1. To be urgently addressed by the Technical Community.
    2. States and operators of industrial control systems must include disaster preparedness and response, business continuity planning in operations.
    3. The technical community and operators must leverage common language and sound security practices in current standards.
    4. The state of cybersecurity of these systems in developing countries is very poor. States and other stakeholders must support the development and sharing of security practices for ICS such as identifying vulnerabilities, and ensure patches are available.
    5. Operational responsibility must be defined and technology developers held accountable for addressing security vulnerabilities.
    6. States and private sector have to address the question of which SCADA and other control systems need an Internet connection and which systems are better kept offline or disconnected from the Internet in order to be more secure.
  8. Preventing collected information from being repurposed for other, inappropriate purposes.
    1. Management of information is critical. Companies must develop controls for safeguarding the information.
    2. States should enact appropriate laws to criminalise use of information beyond its intended, appropriate purpose.
    3. Private sector should be encouraged to not design devices for ‘data exploitation’, leaving individuals in control of how their data is used.
    4. Stakeholders must acknowledge that the security of the Internet of Things (IoT) is insufficiently understood. Technical community and Private Sector must invest in the development of appropriate security controls for IoT devices.
    5. Culprits of invalid use of information must be charged in line with governing law, and breach victims should be compensated per law.
    6. Ethics standards should be encouraged, and ethics audits of organizations should be encouraged to ensure data is appropriately used within the terms defined by the data holder.
  9. Deploy Secure Development Processes
    1. A Secure Development Lifecycle must be implemented in all software and product development. The Technical community should develop and release guidance on secure development processes, and share information on ongoing failures to drive process improvement.
    2. Key industry players should raise awareness, and sponsor national initiatives for standards.
    3. SDL needs to be developed.
    4. Stakeholders should identify good standards and protocols, per country, per region, globally (for issues of cultural sensitivity), including protocols for human-computer interaction, and share these widely.
  10. Prevent unauthorized access to devices
    1. Unauthorized access to devices should be criminalized by enacting appropriate laws. The Budapest Convention offers states a legal framework for prosecuting and dissuading.
    2. Policies must be developed to inform people in developing countries about the risks of unauthorized access.
    3. Policy makers and regulators need to address how to encourage IoT vendors to make devices more secure - and identify new economic incentives to support this change.
    4. Security and privacy are fundamental rights. Legal frameworks must be in place to allow abuse to be challenged.
    5. Current frameworks lack sufficient safeguards, in law or practice, to address the impact of IoT on human rights. Central elements to a solution are: (1) data protection, (2) best available security practices, (3) transparent international processes on coordinated vulnerability disclosure, (4) the implementation (and, when appropriate, enforcement) of existing standards and/or (consumer) laws.
    6. Citizens must have complaint mechanisms[3] on unauthorized access to or disclosure of sensitive information.

 

2.1.4. Additional concerns and challenges

In addition to the cybersecurity challenges related to the CENB policy options, the BPF identified a number of additional cybersecurity concerns that could impact the potential contribution of ICTs and Internet Technologies to achieving the SDGs.

  1. Mitigate a current lack of cybersecurity awareness through awareness building and capacity development
    1. States must become aware of security risks to their own and their citizens’ activities. Awareness should be raised by developing best practices and guidelines and sharing them among entities.
    2. Focus on user education.
  2. Policy and processes should be developed to improve the cyber resiliency of cities.
  3. Number of women in cybersecurity
    1. Diversity in the cybersecurity workforce should be promoted.
    2. The Internet governance forum and other policy forums should provide mechanisms to ensure women's participation in policy discussion and decision making.
  4. Cryptocurrency
    1. Laws should account for the existence of cryptocurrencies and their use in cybercrime, such as acts of ransom, which can be less traceable.
  5. Stakeholders should invest in studying the security implications and influence of social media on cybersecurity.
  6. Whistleblower legislation and implementation, administered with excellent judgement.

 

Defining responsibilities for the stakeholder communities

After its analysis of the cybersecurity risks and challenges originating from the CENB policy options and formulation of its own recommendations to address and mitigate them, the BPF discussed responsibilities of the different stakeholder groups and looked for opportunities for stakeholder cooperation.

Substantial input for this section was generated from the feedback on the call for contributions, and in particular from the responses to the question ‘Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?’

 

Multistakeholder cooperation on cybersecurity - a shared responsibility

‘All stakeholders have a positive role to play in nurturing a trusted and open Internet. We need to work to secure core aspects of Internet infrastructure, to protect the confidentiality and integrity of data that flows over it, and to ensure the right policies are in place to support the technologies, networks and actors that make the Internet work. We do this through collective responsibility and collaboration.’[1]

Each stakeholder community has a responsibility in helping to ensure that cybersecurity does not hinder future internet development. New technologies may be insufficiently secure and cause harm when deployed, while stringent security requirements may prevent the development, deployment, or widespread use of technologies that would generate unforeseen benefits. Stakeholders have the responsibility to foster open inter-stakeholder collaboration and trust relationships, and to infuse a culture of cybersecurity among all stakeholder groups.[2]

Complexity is the reason why multistakeholder efforts are important.[3] There is no one-size-fits-all solution, and pro-internet policies can take many different shapes.[4] A multistakeholder approach to developing future policies on strengthening the rule of law in cyberspace should involve the relevant stakeholders, so that future policies will represent commonly accepted solutions to make cyberspace more secure.[5] To succeed, it may be necessary to develop strategies to actively reach out to stakeholders and involve them in discussions on common issues.[6]

From the way the internet was constituted and works, it follows that ‘each party needs to take a collaborative security approach to foster confidence and protect opportunities. Since every stakeholder has different incentives and different economic interests and different logics (regarding security/privacy/DP), only a good multistakeholder process would bridge these differences.’[7] Cybersecurity is a collective responsibility, and a culture of cybersecurity should be encouraged.[8] “Cybersecurity should be considered a ‘public good’, which promotes collective responsibility for shared benefit.”[9]

On the topic of multistakeholder cooperation on cybersecurity the Internet Society published Principles of collaborative security[10] and a Policy framework for an open and trusted internet[11], and the Commonwealth Telecommunications Organisation (CTO) developed the Commonwealth cybergovernance model[12].

 

Stakeholder communities and their responsibilities 

Disclaimer - recognising responsibilities is not advocating siloed actions

Cyber issues have become increasingly complex and have an impact across society and the economy. This will only intensify, e.g. with the further development of IoT, making siloed responses an increasingly inadequate answer to cybersecurity issues. Only reinforced cross-stakeholder group cooperation and multistakeholder approaches will be able to confront and withstand future challenges.

Against this background, it is important that stakeholders are also aware of their cybersecurity and cyberhygiene responsibilities, assume them correctly, and have a good understanding of the responsibilities that arise from the activities and competences of the other stakeholder groups. Such insight will help to identify opportunities for multistakeholder cooperation and joint action, and to avoid initiatives by different stakeholders working counterproductively and failing to contribute to an increase in the overall level of security.

The BPF Cybersecurity called upon the community to help identify the responsibilities of the different stakeholder groups. Substantial input for this section was generated from the responses to the question ‘Where do you think lies the responsibility of each stakeholder community in helping ensure cybersecurity does not hinder future Internet development?’.

 

Governments (and International organisations)

Governments should take ‘a leading role in driving a national and international cybersecurity agenda and setting regulatory and policy priorities’.[1] ‘They play a fundamental role in developing policy and legal frameworks for a secure cyberspace, data protection, protecting critical information infrastructure and enforcing the law against cybercrime, online abuse and gender based violence.’[2] Governments play an essential role in protecting critical infrastructure and prosecuting cybercriminals,[3] and should support and cooperate with banks, credit card companies, insurance companies, cell phone companies and other businesses vulnerable to fraud. Governments can facilitate, initiate and/or (financially) support processes that lead to a better cybersecurity environment, for example by initiating (discussions on) ISACs, anti-abuse mechanisms, anti-DDoS facilities, etc., in which industry can then take the lead.

Nations must become serious about putting in place a robust risk management system, driven by a common cybersecurity strategy. A country-wide vulnerability management strategy is needed. Policies should be in place to ensure stakeholder transparency and accountability in ISP, DNS and IXP communities.[4] Governments could take initiatives to inform businesses, SMEs and entrepreneurs about cybersecurity risks and support them by sharing advice and best practice examples.[5]

In terms of policy, governments must encourage solid technology practices such as bug bounties[6], and not exacerbate the problem by hoarding vulnerabilities or creating backdoors in secure communications technology. Governments must regulate the private sector through data protection laws and other consumer protection. They must pursue policies or treaty options that compel signatories to abide by international principles, norms and standards that ensure cybersecurity and national security measures that employ digital technology are necessary and proportionate. Governments and the private sector should cooperate in private sector-government partnerships to improve transparency and to protect disclosures.[7]

The fact that different government branches are often responsible for ICTs, intelligence and national security, and sustainable development poses an extra challenge.[8] When taking on their role, governments should be cautious not to ‘undermine the collaborative approaches and the role of the technical community and industry in identifying risks, providing security of networks and customers, and the role of civil society in safeguarding transparency, accountability, due process and human rights’. They should not ‘fuel competition for creating insecurity (...) and not undermine user’s data protection,’[9] for example by stimulating offensive security research to expose vulnerabilities without an intent to fix.

Modern methods of attack may require tackling of cybercrime internationally through aligning legislative initiatives,[10] and International organisations should ensure ‘that all governments do adopt conventions and agreements’[11], at the same time and at the same level.

Governments have the responsibility to reach out and engage with other stakeholders in seeking multistakeholder solutions to cybersecurity challenges as noted and recommended in the prior section on multistakeholder approaches.

 

 

Civil Society

While governments usually take the lead in setting policy and regulatory priorities, the role of civil society is important in monitoring accountability and transparency, and safeguarding due process and human rights.[1]

NGOs have a critical role in raising awareness, and promoting responsible behaviour and safety online.[2] Their activities are fundamental for pressing governments to abide by their obligations to respect rights such as privacy and freedom of expression, for increasing awareness over rights in the digital age, for promoting responsible behavior, and for spreading best practices.[3] NGOs have been important hubs for expanding access policies in developing countries, often being closer to the everyday challenges faced by users than other actors.[4]

 

 

Technical community

It is the responsibility of the technical community and industry to identify risks and provide security of networks, devices and people.[1]

It is important to support efforts to mitigate DoS and other attacks at the technology level, rather than with policy such as criminalisation. Proactive solutions to find, mitigate and disclose vulnerabilities are key to addressing reliability and access. The technical community must develop protocols so as to prevent their use for exploits such as DDoS[1].[2]

Technical organisations, such as the IETF, should consider broadening their membership to include all stakeholders, and involve NGOs and stakeholders in their discussions before designing the technical solutions.[3]

Multistakeholder cooperation within the IETF and other standardising bodies could focus, on the one hand, on swift implementation of standards developed with the technical community, so as to ensure a safer environment based on the offered solutions, and, on the other hand, on identifying urgent issues together.

 

Private sector

The private sector should adopt the principle that the best security is the one that is not noticed by the secured. The private sector plays a core role in developing secure technology, secure products and services, as well as in sharing knowledge and best practices[1] with governments and non-governmental organizations.[2]

The private sector must use due diligence to protect human rights and avoid adverse impact. It has to ensure the correct implementation of protocols and best practices. It must create readable ToS for users, and proactively inform users of software updates.[3] In addition, it must evaluate its approach from the users’ perspective, taking into account user groups with special needs, e.g. elderly or disabled people, for whom information and awareness alone might not be effective.[4]

 

Academia

Academics’ main responsibility is to guide with scientific research.[1] There is a considerable lack of knowledge of what is really going on,[1] [2] which is seen by some as problematic. Therefore, to avoid a knowledge gap, it is important that the most recently developed and adopted technologies are also included in academic curricula and research programmes.[2] Academics and security experts should monitor[3] the implementation of best practices.[4] Policy protections must exist for researchers that seek out vulnerabilities in technology.

 

Section 3:  Areas to develop further stakeholder conversation

 

While the 2017 BPF Cybersecurity was inevitably limited in its own scope, it identified areas and issues that would benefit from a multistakeholder approach. Some of the issues are already being dealt with by one or more stakeholder groups in specific forums. There are great opportunities for dialogue and cooperation among forums. Interested stakeholders are advised to consider joining the existing forums and so further develop multistakeholder dialogue on the issue at stake. Substantial input for this section was generated from the responses to the question ‘What is the most critical cybersecurity issue that needs solving and would benefit from a multistakeholder approach?’ and was further discussed and consolidated by the BPF.

 

  1. Fostering a culture of cybersecurity, and making sure it is accessible and understood by each stakeholder group; and developing a better set of core values around cybersecurity. Ensure full representation and participation of developing countries in the IGF process.

Existing forums: UNIDIR[1]

  2. Development of internationally-agreed cybersecurity norms.

Existing forums: UNGGE, GCSC

  3. Internet of Things ecosystem security, which accounts for the convergence of safety and security principles and the lack of commercial incentives to secure these devices and services;

Existing forums:

  4. Vulnerability of critical infrastructure and internet resources

Existing forums: Meridian, GFCE, ISACs

  5. Ensure that risk management approaches acknowledge that security is an evolutionary process, and that no security deployment can offer 100% protection.

Existing forums:

  6. DoS/DDoS attacks, BGP/IP prefix hijacking and DNS abuse

Existing forums: NANOG, FIRST, RIPE, APNIC, AFRINIC, LACNIC, NAWAS of the NBIP

  7. Cybercrime

Existing forums: Europol, Interpol, UNODC, Council of Europe

  8. State stability and peace in cyberspace

Existing forums: OSCE, UN

  9. Ransomware

Existing forums: No More Ransom

  10. Lack of education and end user awareness/engagement

Existing forums:

  11. The UN and ITU need to develop a framework to foster international cooperation and legal principles for cyber security;

Existing forums: GCCS, Council of Europe

  12. Cognitive computing and Artificial Intelligence.

Existing forums:

  13. For mobile networks: (1) lack of public and available professional forums to address security threats, (2) low awareness of system administrators in securing next generation networks, (3) expansion of the Internet of Things.

Existing forums: GSMA

  14. A stronger reflection of criminal justice aspects is needed in cybersecurity policies;

Existing forums: Eurojust

  15. Extreme threats: Security threats in the digital world evolve faster than established rules, laws and even technical knowledge (i.e. in case of ransomware or other threats of the nascent IoT).

Existing forums:

 

     17. Asymmetric use and access to the Internet

Do cyber threats of different natures pose a greater threat to open societies than to closed ones? From organised crime to democracy undermining activities. Do governments undertake enough or the right activities to protect their respective citizens, institutions and companies?

Existing Forums:

 

    18. Anti-abuse initiatives

Around the world there are organisations fighting abuse through the setting of Internet standards or direct actions against the use of abuse sources.

Existing Forums: M3AAWG, AbuseHUB, Signal Spam, APWG, Stop Think Connect

 

Part III:  Conclusions and way forward

 

Well-developed cybersecurity helps contribute to meeting the SDGs. Poor cybersecurity can reduce the effectiveness of these technologies, and thus limit the opportunities to achieve the SDGs.

 

[ text for Part III to be based on discussion at the BPF Cybersecurity workshop at the IGF]

 

Non-exhaustive list of regular contributors to the BPF discussions

[to be added]

 

Annexes

Annex 1:  contributions to the 2017 BPF Cybersecurity

                        [ cleaned up version Matrix  + questionnaires ]

 

Annex 2:  CENB Phase I & II Cybersecurity-focused policy analysis

CENB Phase II - Cybersecurity-focused policy analysis

Analysis contributed by Andrew Cormack

 

Notes on how cyber-security can affect the achievement of the Sustainable Development Goals (SDGs). Derived from the IGF Policy Options for Connecting and Enabling the Next Billion(s): Phase II. Many of the cyber-security issues affect several SDGs: the connections selected here are chosen as perhaps the best examples of these dependencies.

 

SDG1 (No Poverty) depends on individuals being able to access information over the Internet. Thus it can be disrupted by weaknesses in, and attacks on, the availability of information services and the networks that individuals use in connecting to them. Issues such as denial of service attacks and services that can act as amplifiers for them could therefore affect progress towards this goal. Similar issues arise in SDGs 4 (Quality Education), 10 (Reduced Inequalities), 14 (Life below water) & 15 (Life on Land), and the overall aim of providing “meaningful access”.

 

SDG2 (Zero Hunger) includes farmers seeking information, reporting on local conditions, applying for grants etc. Since such activities may involve implicit or explicit criticism of public authorities, they will be hindered by any perception that those authorities are engaged in surveillance of internet usage.

 

SDG3 (Good Health) includes telemedicine, disease monitoring and the storage of patient data. Developed countries have already experienced setbacks in these areas as a result of incidents affecting the confidentiality and availability of sensitive information held by medical and health services.

 

SDG5 (Gender Equality) is harmed by individuals or organisations using communications technologies to engage in online abuse and gender-based violence.

 

SDG6 (Clean Water) involves using communications technologies for the remote monitoring and control of treatment and pumping equipment. Vulnerabilities in SCADA (Supervisory Control and Data Acquisition) equipment that is connected to shared networks are a major concern that can turn such automation from a benefit into a serious pollution and health threat.

 

SDG7 (Affordable and Clean Energy) depends on the widespread acceptance of smart meters and smart grids. Loss of trust in these systems can easily be caused if monitoring equipment and systems do not keep information confidential, or if information is used for inappropriate purposes.

 

SDG8 (Decent Work and Economic Growth) highlights the importance of mobile payment systems, which are critically dependent on the security of mobile devices such as phones and tablets.

 

SDG9 (Industry, Innovation and Infrastructure) suggests that developing countries may find opportunities to develop disruptive industries in the area of IoT (Internet of Things). However, the lack of secure development processes is already causing concerns for IoT, and any industry based on it could be severely damaged by a security failure in its products.

 

SDG11 (Sustainable Cities and Communities). Many of the technical tools suggested as supporting this aim can also become serious threats to individuals and communities if they are not secure. Criminals, neighbours, governments or even family members with unauthorised access to internet-monitored home security, traffic monitoring or CCTV systems can cause serious privacy, material, physical or emotional harm.

 

SDG16 (Peace and Justice) concerns citizen engagement in government, but also notes that these tools can be used for repression and the spread of prejudice. Either will strongly discourage engagement. Systems used to hold authorities to account must be protected from abuse by those authorities.

 

CENB Phase I - Cybersecurity-focused policy analysis

Analysis contributed by Maarten Van Horenbeeck

The 2017 Best Practices Forum on Cybersecurity is reviewing the cybersecurity implications of policy recommendations made as part of “Policy Options for Connecting and Enabling the Next Billion(s): Phase II”. The outcome of this work will help inform policy makers of the important cybersecurity implications of implementing or evaluating a specific policy option.

In order to ensure a comprehensive review, these notes describe a review of the cybersecurity implications of policy options identified as part of “Policy Options for Connecting and Enabling the Next Billion(s): Phase I”.  While that document did not align with the Sustainable Development Goals, and thus will not be our line of inquiry in approaching the Phase II review, this review is intended to ensure our guidance is comprehensive.

In Appendix A, a set of reviewed policy recommendations, extracted from the Phase I CENB document, is listed. Reviewing those, I identified a set of high-level criteria which came up, in many cases repeatedly. I noted some brief security implications of each:

 

1.  Promoting improved and extended broadband infrastructure:

  • Increased broadband increases the risk of vulnerable endpoints being leveraged in high-bandwidth Distributed Denial of Service attacks. Whereas unmaintained, unpatched or unlicensed devices on low bandwidth networks have mostly localized impact, on high bandwidth networks the impact is likely to have more implications at the global network level.

2.  Promoting spectrum increases and promoting increased reliance on wireless modes of operation:

  • Use of spectrum for internet access is subject to local jamming as a Denial of Service attack, which has different recovery scenarios (they must be triangulated and stopped) than cable disruptions (which can physically be fixed).
  • Wireless network access increases the importance of strong traffic encryption controls.

3.  Promoting increased power grid capacity:

  • Extension of power grid capacity, in particular over greater distances will involve the deployment and reliance on the security of Supervisory Control and Data Acquisition (SCADA) equipment.

4.  Promoting the development of Internet Exchange Points:

  • Internet Exchange Points have strong physical security needs, and imply the use of specialized software and hardware which must be maintained. Use of components with good software security and a standard, maintainable and updatable setup becomes more important as IXPs are more distributed and perhaps run by local teams with less experience.

5.  Promoting user awareness education:

  • Educating users on the use of the internet requires those users to be made aware of security risks and safe conduct online.
  • It requires the development of initial services with human behavior in mind, so the default behavior of users on the services they use as their first entry online is secure.

6.  Deploying government services using an Open Data model:

  • Making data available requires proper anonymization, which is not an easy challenge. Data must be available in aggregate to be of use, but should not be released in such a way that permits de-anonymization.
  • Data released by the government must have strong integrity to enable society to make appropriate decisions based on its analysis.
  • When third parties start building on top of the data set, its availability becomes important to permit these third parties to function.

7.  Addressing unsolicited e-mail and other forms of spam:

  • Spam and unsolicited messages may make otherwise effective communication channels difficult or unpleasant to use. Abuse management mechanisms are needed, which should be carefully introduced so as not to lead to censorship or put in place other boundaries on communication.

8.  Promoting the increase of locally relevant content and local language support:

  • Increased local language support, in particular when associated with other character sets, may increase the risk of homoglyph attacks on the URIs used for such content, or other, international content;
  • Locally relevant content may not be required to be available globally. These reduced performance requirements may incentivize content creators to store it on local network resources. Having only a single copy of the information available in a region increases the risk of a Denial of Service attack rendering it unavailable, or a local outage causing it to be destroyed.

9.  Promoting national domain name infrastructure:

  • National domain name infrastructure is often less robust than the gTLDs on which large international enterprises are deployed, such as .com, .net and .org. Increasing reliance on it requires investment in secure domain name and registry infrastructure.

10.  Promoting sharing of passive infrastructure:

  • Shared infrastructure may expose infrastructure owned by one operator to another, requiring the implementation of strong security controls restricting access;
  • Shared infrastructure reduces overall redundancy of networks. An outage of a single site may affect multiple providers.

11.  Addressing minority and gender-based online harassment:

  • Addressing minority or gender-specific harassment requires contextual knowledge of what “harassment” means and proper reporting channels. These reporting channels may not always be available when a service provider is in a different country, or operating under a different legal framework.

12.  Strengthen telecommunications infrastructure through public private partnerships:

  • Public-private partnerships may include shared operational capability between government and industry providers, which requires strong security controls and separation of duties to ensure the public partners are unable to affect technical implementations e.g. domestic surveillance.

13.  Enabling initiating economic opportunities, such as starting a company online:

  • Bringing services critical to the economy online requires secure development processes to ensure the underlying data stores are protected from unauthorized access and modification;
  • A Denial of Service attack against such services may hamper the ability of businesses to do their work, or citizens to become economically active.

14.  Make internet devices more affordable:

  • Increased price pressure without specific quality requirements may result in vendors saving on costly, but important processes such as quality control. This may result in devices being introduced without passing through a software development lifecycle that includes security testing, or a supportable update process.

 

Appendix A: Policy options identified from the Phase I document

http://www.intgovforum.org/cms/documents/policy-options/654-igf-policy-options-for-connecting-the-next-billion-compilation/file

 

1.     Deploying infrastructure

a.     Physical, interconnection layers and enabling technologies

  1. Promote broadband infrastructure (Africa IGF)
  2. Promote power grid capacity (Africa IGF)
  3. Explore creation of continental common toll-free Internet platform to preserve the identity and cultural heritage of Africa (Africa IGF)
  4. Stabilize pricing for internet access service (Ministry of Comm. Brazil)
  5. Improve transcontinental submarine cabling (Ministry of Comm. Brazil)
  6. Groups with major market power are obliged to connect to traffic exchanges, offer full peering, paid peering and traffic (Ministry of Comm. Brazil)
  7. Stimulate investments for broadband roll-out (EuroDig)
  8. Provide public funds where private investment is not enough (EuroDig)
  9. Development of public-private partnerships (EuroDig)
  10. Open access and spectrum for Wi-Fi development (APrIGF)
  11. Spectrum is a common good, policy should be inspired by criteria of public and general interest (EBU)
  12. Pro-competitive broadband policy (ICC Basis)
  13. Policy initiative targeted at specific socio-demographic groups (Annenberg School for Communication)

b.     Mobile

  1. Half of the world’s population has a mobile subscription – mobile helps to provide underserved regions with the opportunity to overcome socio-economic challenges (GSMA)
  2. Making prepaid mobile services available to non-elites, increasing mobile competition to reduce prices (ICT Africa)
  3. Stimulate 3G networks in Niger – mobile credited for nearly all progress on connectivity (IGF Niger)
  4. Promote wireless in areas with reduced electricity coverage (Movimento de Espectro Livre)
  5. Spectrum is finite, ITU estimates 1340-1960 MHz of spectrum required for 2020 demand (GSMA)

c.     Funding sources: Universal service funds, Public Private partnerships

  1. Universal Service Provision Funds should be used to engender infrastructure into underserved areas and enable affordability (African Regional IGF)
  2. USAF should address institutional environment: operational independence, legal clarity, internal capacity + support broadband supply. Successful funds are targeted to address affordability and gaps (Alliance for Affordable Internet)
  3. Investments are currently typically redirected to urban and semi-urban areas (Universal Access Fund and ICT Infrastructure Investment Africa)

d.     Deployment

  1. Development of IXPs and IPv6/IDN deployment play a crucial role (EuroDig)

 

2.     Increasing usability

a.     Applications

  1. Causal relationship between low usage of mobile media tools and internet literacy – even when people have access to the internet, they lack the understanding of it (World Bank)

b.     Services

  1. Citizens need to have information on what governments and private sector are doing to increase access and connectivity, especially in rural areas. Geography and culture must be taken into account (civil society)
  2. Digital content and services are important to drive internet adoption and usage (World Economic Forum)

c.     Local Content, Multilingualism

  1. Content in local languages is important – accessible, cheap and interesting are content requirements (EuroDig)
  2. Representation and participation are uneven, many people are left out of the debate (IGF local content 2014)
  3. Encourage locally relevant content, including protections for freedom of expression, press, privacy and intellectual property, e-commerce infrastructure, consumer protection, trusted online payment systems. Policies must be market driven and based on voluntary commercial arrangements (ICC Basis)
  4. Promote local content (Iberoamerican federation of IT associations)
  5. Local content promotion in Spanish and native American languages (Paraguay IGF)

d.     Media

  1. Most traffic is driven by professionally produced quality content. Local content promoters are now in competition with global content industry (EBU)

e.     Accessibility

  1. Legislative framework on accessibility exists, but awareness raising, education and training of specialists is needed. (Swiss IGF)
  2. Items paid for by the public must be accessible for the public – open access to publicly funded research (Swiss IGF)

 

3.     Enabling users

a.     Human Rights

  1. States and private sector must commit to developing clear standards, procedures for protection and transparency to strengthen human rights on the internet in the region (Asia Pacific Regional IGF)
  2. African IGF session on Human Rights on the Internet:
    1. Establish mechanisms to promote, monitor and popularize African Declaration on Internet Rights and Freedoms and UNESCO’s concept of internet universality
    2. Self-regulatory, independent objective oversight and sanctioning mechanisms
    3. Meaningful access to ICT includes control over ICTs as a key resource towards advancing status of women and girls and their human rights
    4. Address emerging issue of violence against women

b.     Inclusiveness (Gender, Youth)

  1. Issues: unequal access to internet infrastructure, affordability, gender disparity in education, digital literacy, uneven capacity to use internet for needs and priorities, specific gender-based challenges and barriers (relevant content, gender-based harassment and violence) (2015 IGF BPF on Countering Abuse against Women online)

c.     User literacy

  1. Support open data models, local content development, eLearning initiatives (African Regional IGF)
  2. Principles on Public Access in Libraries (IGF DCPAL)

d.     Digital Citizenship

  1. Fostering public access points in public libraries and community centers, and promoting content creation and digital literacy activities in those places (LAC IGF)
  2. Accessible voting machines, supporting school for blind students, working with low income populations. Promoting access to information. (Microsoft)

e.     Entrepreneurship

  1. Those formerly excluded from economic opportunity can use the internet for all phases of starting their own companies (WEF 2015)

 

4.     Ensuring affordability

a.     Digital divide

  1. Improve investment in R&D to allow Brazil to compete with foreign-produced goods. Otherwise the country does not fully benefit from the internet economy (Movimento de Espectro Livre – Brazil)
  2. Focus on increasing supply and lowering cost of access (Internet Society)
  3. Address spectrum availability for 3G and 4G (Arab IGF)
  4. Increase IXPs at national and regional levels (Arab IGF)
  5. Educate on computer literacy and reduce device cost, which will drive internet use and support establishment of local content (Arab IGF)

b.     Costs of Access per Capita

  1. Infrastructure sharing (e.g. independent tower companies) lowers industry costs (Alliance for Affordable Internet)
  2. Identify appropriate balance between taxation revenue and long-term socio-economic growth. Develop evidence based policies (Alliance for Affordable Internet)
  3. Develop firmware for devices already on the market, so existing devices can be re-used (e.g. OpenWRT) (Movimento de Espectro Livre – Brazil)

 

5.     Creating an enabling environment

a.     Government, Regulatory Authorities and IGO frameworks, laws and regulations

  1. Connecting the next billions should be driven as a project (African Regional IGF)
  2. Ministries of Communications should review plans through multistakeholder cooperation (African Regional IGF)
  3. Governments should demonstrate ability to implement viable policies already in place (do not replace previous govt projects) (African Regional IGF)
  4. Deploy government services using open data model (African Regional IGF)
  5. Effective monitoring of projects and online reporting (African Regional IGF)
  6. Regional multistakeholder approach at the AU-level (African Regional IGF)
  7. Infrastructure sharing at the backbone level and open access to cut costs (Mozambique IGF)                
  8. Fiscal policy and taxation (Mozambique IGF)
  9. Research and Data Collection (Mozambique IGF)
  10. National broadband strategies require extensive public consultation with all stakeholder groups (APC)
  11. Eliminate market protections for incumbent operators (APC)
  12. Increase government investment in public access facilities and awareness raising, focused on disenfranchised groups (APC)
  13. Allow innovative uses of spectrum and new spectrum sharing techniques (APC)
  14. Promote local ownership of small-scale communications infrastructure (APC)
  15. Using public funds and utility infrastructure to ensure national fibre networks move into sparsely populated areas (APC)
  16. Adopt effective infrastructure sharing (APC)
  17. Reduce taxes on ICT goods and services (APC)
  18. Established broadband targets in Digital Agenda for Europe (EC)
  19. Creation of ad-hoc funds to stimulate investment (EC)
  20. Improve digital skills and literacy (Coding week, networks of Digital champions) (EC)
  21. International organizations should show benefits of investments in access, high capacity connectivity, promote healthy, competitive and stable market environments, develop private-public partnerships for non-commercially viable areas, transfer expertise and share best practices (EC)
  22. Promote corporate social responsibilities (Nigeria IGF)
  23. Broadband policy, ICT Policy encouraging investment and Local Content Policy (Nigeria IGF)

b.     Private sector-led initiatives and market strategies

  1. Alliance for affordable internet:
     1. Liberalized market with open, competitive environment
     2. Nurture healthy market competition
     3. Streamline licensing process with no barriers to market entry
     4. Ensure competitive market structure, with no govt ownership of end user providers
     5. Available access at market rates to international gateway or cable
     6. Transparent disclosure of pricing and service options
     7. Permit pre-paid and tiered pricing
     8. Remove barriers to crossing national borders with infrastructure or traffic
  2. ICC Basis:
     1. Open and competitive markets, fair, investment-friendly, comparable regulatory intervention for all actors
     2. Strong reliance on voluntary commercial arrangements
     3. Policies that promote efficiency through engineering-driven design (creation of IXPs)
     4. Policies that promote growth of products and services provided over broadband
  3. Run localized networking initiative with solar backup (Kenya IGF)
  4. Social enterprise that makes broadband available at low cost, based on national fiber optic network (Kenya IGF)

c.     Non-profit, Public-Private partnerships and Other initiatives

  1. Arab IGF:
     1. Foster private-public partnerships to invest in telecom infrastructure to reach out to disadvantaged areas
     2. Establish national and local dialogues on benefits of internet and how it improves economic situation of individuals
     3. Develop policies and regulations that cater for competitive access-price strategy, macro-level affordability
     4. Engage with CSOs to reinforce their role in mobilizing communities they work with
  2. Facilitate deployment of telecoms infrastructure to facilitate access to spectrum and lower taxes (LACIGF)
  3. Companies must develop business models to break restriction income. Universalize through mobile telephony (LACIGF)
  4. Digital inclusion programs such as distributing computers to children in schools (LACIGF)
  5. Invest in network services in order to close coverage gap (LACIGF)
  6. Roll-out of optic cables throughout country (Benin IGF)
  7. Promote national TLD (Benin IGF)
  8. Federal Telecommunications Institute of Mexico:
     1. Promote access for persons with disabilities
     2. Make terminal devices and telecom services more affordable and better quality to ensure widespread access
     3. Strengthen telecoms infrastructure by encouraging public-private partnerships
     4. Encourage campaigns for skills building
     5. Encourage multi-stakeholder governance
  9. Facebook:
     1. Reduce the cost of internet access, such as supporting innovative business arrangements like free basics
     2. Promote free and open internet
        a. Do not permit fast lanes, blocking, throttling
        b. Do not introduce laws inhibiting innovation
        c. Innovative practices such as zero-rating can give more people access to content
     3. Expand connectivity infrastructure
        a. Streamline local licensing processes
        b. Reduce legal barriers to entry
        c. Promote sharing of passive infrastructure (dig once, build once)
        d. Tax incentives can accelerate development
  10. Colombia IGF:
     1. ICT appropriation linked to access is important to increase impact of government initiatives and reducing digital divide
     2. Promote production of software and local content with social focus
     3. Encourage public internet access strategies, and do not neglect them in favor of mobile access. Public access links vulnerable communities.
     4. Expand community wireless networks and connection of schools and libraries to rural areas
     5. Reduce or eliminate taxes related to internet access and devices
     6. Reduce gender gap and ICTs
  11. Broadband commission:
     1. Prioritize supply and demand-side policies to full range of broadband infrastructure, applications and services
     2. Initiate and prioritize broadband planning process
     3. Invest in ICTs and digital skills as engine of growth
     4. Review and update regulatory frameworks to take into account evolving models
  12. Expand private and public sector engagement, augment stakeholder community, recruit leaders from various sectors (civil society)
  13. More regional cooperation initiatives to address lack of domestic political will (IGF Niger)
  14. Microsoft:
     1. Openness to dialogue across partners institutions and organizations
     2. Inclusiveness of local actors aware of local needs
     3. Enabling environment for joint planning and execution
     4. Identification of socio-economic development opportunities and priorities
     5. Application of successful models across disciplines
  15. Promote public-private partnerships for connecting remote regions (Telefonica)

Address unsolicited e-mail

Annex 3:  Report of the BPF Cybersecurity session at the 2017 IGF meeting

 

To be added.
